Ubuntu
tomcat6 package

tomcat <6.0.18: Directory Traversal (CVE-2008-2938)

Bug #256802 reported by Emanuele Gentili
256
Affects Status Importance Assigned to Milestone
tomcat5.5 (Debian)
Fix Released
Unknown
tomcat5.5 (Ubuntu)
Fix Released
Low
Thierry Carrez
Hardy
Fix Released
Low
Thierry Carrez
tomcat6 (Gentoo Linux)
Invalid
Critical
tomcat6 (Ubuntu)
Fix Released
Undecided
Thierry Carrez
Hardy
Invalid
Undecided
Unassigned

Bug Description

Severity: High
Impact: Remote File Disclosure
Vulnerable Version: prior to 6.0.18

As Apache Security Team, this problem occurs because of JAVA side.
If your context.xml or server.xml allows 'allowLinking'and 'URIencoding' as
'UTF-8', an attacker can obtain your important system files.(e.g. /etc/passwd)

Reproducible: Always

Steps to Reproduce:
Exploit
If your webroot directory has three depth(e.g /usr/local/wwwroot), An
attacker can access arbitrary files as below. (Proof-of-concept)

http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar

References:
 - http://tomcat.apache.org/security.html
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938

Emanuele Gentili (emgent)
Changed in tomcat6:
importance: Undecided → High
status: New → Confirmed
Changed in tomcat5.5:
status: New → Confirmed
Changed in tomcat6:
importance: High → Undecided
Bug Watch Updater (bug-watch-updater)
Changed in tomcat6:
status: Unknown → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in tomcat6:
status: Confirmed → Invalid
Thierry Carrez (ttx)
Changed in tomcat6:
assignee: nobody → tcarrez
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu1

---------------
tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on
    default-jre-headless | java6-runtime-headless

 -- Thierry Carrez <email address hidden> Fri, 22 Aug 2008 09:15:11 +0200

Changed in tomcat6:
status: In Progress → Fix Released
Revision history for this message
Thierry Carrez (ttx) wrote :

That would be the patch for the 5.5 line: http://svn.apache.org/viewvc?view=rev&revision=678137

Changed in tomcat5.5:
importance: Undecided → Low
Revision history for this message
Thierry Carrez (ttx) wrote :

No, that would rather be this one: http://svn.apache.org/viewvc?view=rev&revision=681065

Thierry Carrez (ttx)
Changed in tomcat5.5:
assignee: nobody → tcarrez
status: Confirmed → In Progress
Bug Watch Updater (bug-watch-updater)
Changed in tomcat5.5:
status: Unknown → New
Revision history for this message
dfiguero (gargamel-) wrote :

Is there a patch for tomcat5.5 that fixes CVE-2008-1947?

Revision history for this message
Thierry Carrez (ttx) wrote :

CVE-2008-1947 is fixed in 5.5.26-3
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484643
Look at changes in HTMLHostManagerServlet.java in the diff.gz

Jamie Strandboge (jdstrand)
Changed in tomcat6:
status: New → Invalid
Thierry Carrez (ttx)
Changed in tomcat5.5:
assignee: nobody → tcarrez
importance: Undecided → Low
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat5.5 - 5.5.26-3ubuntu1

---------------
tomcat5.5 (5.5.26-3ubuntu1) intrepid; urgency=low

  * Fix tomcat5.5 Java environment to match status of Java in intrepid:
    - control: Moved Java runtime deps to libtomcat5.5-java
    - control: Depends on default-jre-headless | java2-runtime-headless
    - tomcat5.5.init: Fix JVM list to match java2-runtime-headless
    - rules, control: Builds with default-jdk, libecj-java build-dep added
    - Fixes LP: #212521, LP: #179447
  * tomcat5.5.postinst: Removed superfluous /etc/tomcat5.5/tomcat5.5 linking
  * rules, tomcat5.5.init: implement TearDown spec
  * tomcat5.5.install: don't install catalina.policy (LP: #112626)
  * Fix CVE-2008-1232 cross-site scripting vulnerability (LP: #256926)
  * Fix CVE-2008-2370 information disclosure vulnerability (LP: #256922)
  * Fix CVE-2008-2938 directory traversal (LP: #256802)

 -- Thierry Carrez <email address hidden> Wed, 10 Sep 2008 12:00:09 +0200

Changed in tomcat5.5:
status: In Progress → Fix Released
Jamie Strandboge (jdstrand)
Changed in tomcat5.5:
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in tomcat5.5:
status: New → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in tomcat6 (Gentoo Linux):
status: Invalid → Unknown
Bug Watch Updater (bug-watch-updater)
Changed in tomcat6 (Gentoo Linux):
importance: Unknown → Critical
Bug Watch Updater (bug-watch-updater)
Changed in tomcat6 (Gentoo Linux):
status: Unknown → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.